sonatype-nexus-community/jake

[BUG] False positive for Plone and Zope versions

ewohnlich opened this issue · 1 comment

I believe these are false positives because the package version does not appear to be in the range described in the result. I am assuming this is due to Jake and not OSSIndex; apologies if that is incorrect.

Zope deserves some explanation because it's a bit odd. Zope and Zope2 are two separate packages both used by Plone (the result of some decisions decades ago). I am not sure if it is mistakenly treating Zope2 as version 2.0.0 of Zope; that may be a red herring. For the Plone issue I don't even have a guess, it just says it is on version 6.0.9 but I am on 6.0.13.

[18/408] - Plone@6.0.13 [VULNERABLE]
Vulnerability Details for Plone@6.0.13
└── ⚠  ID: CVE-2024-22889
    └── ╭─ CVE-2024-22889 ─────────────────────────────────────────────────────╮
        │                                                                      │
        │ [CVE-2024-22889] CWE-497: Exposure of System Data to an Unauthorized │
        │ Control Sphere                                                       │
        │ Due to incorrect access control in Plone version v6.0.9, remote      │
        │ attackers can view and list all files hosted on the website via      │
        │ sending a crafted request.                                           │
        │                                                                      │
        │ Ratings:                                                             │
        │    -  7.5 HIGH - Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWEs:  │
        │ 497                                                                  │
        │                                                                      │
        │ References:                                                          │
        │   - OSS Index [Ref: CVE-2024-22889]                                  │
        │     URL:                                                             │
        │ https://ossindex.sonatype.org/vulnerability/CVE-2024-22889?component │
        │ -type=pypi&component-name=plone&utm_source=python-oss-index-lib%401. │
        │ 1.1&utm_medium=integration                                           │
        │                                                                      │
        ╰──────────────────────────────────────────────────────────────────────╯
[62/408] - Zope@5.10 [VULNERABLE]
Vulnerability Details for Zope@5.10
├── ⚠  ID: CVE-2000-1211
│   └── ╭─ CVE-2000-1211 ──────────────────────────────────────────────────────╮
│       │                                                                      │
│       │ [CVE-2000-1211] CWE-269: Improper Privilege Management               │
│       │ Zope 2.2.0 through 2.2.4 does not properly perform security          │
│       │ registration for legacy names of object constructors such as DTML    │
│       │ method objects, which could allow attackers to perform unauthorized  │
│       │ activities.                                                          │
│       │                                                                      │
│       │ Ratings:                                                             │
│       │    -  7.5 HIGH - Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P, CWEs: 269       │
│       │                                                                      │
│       │ References:                                                          │
│       │   - OSS Index [Ref: CVE-2000-1211]                                   │
│       │     URL:                                                             │
│       │ https://ossindex.sonatype.org/vulnerability/CVE-2000-1211?component- │
│       │ type=pypi&component-name=zope&utm_source=python-oss-index-lib%401.1. │
│       │ 1&utm_medium=integration                                             │
│       │                                                                      │
│       ╰──────────────────────────────────────────────────────────────────────╯
├── ⚠  ID: CVE-2000-1212
│   └── ╭─ CVE-2000-1212 ──────────────────────────────────────────────────────╮
│       │                                                                      │
│       │ [CVE-2000-1212] CWE-284: Improper Access Control                     │
│       │ Zope 2.2.0 through 2.2.4 does not properly protect a data updating   │
│       │ method on Image and File objects, which allows attackers with DTML   │
│       │ editing privileges to modify the raw data of these objects.          │
│       │                                                                      │
│       │ Ratings:                                                             │
│       │    -  5.0 MEDIUM - Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N, CWEs: 284     │
│       │                                                                      │
│       │ References:                                                          │
│       │   - OSS Index [Ref: CVE-2000-1212]                                   │
│       │     URL:                                                             │
│       │ https://ossindex.sonatype.org/vulnerability/CVE-2000-1212?component- │
│       │ type=pypi&component-name=zope&utm_source=python-oss-index-lib%401.1. │
│       │ 1&utm_medium=integration                                             │
│       │                                                                      │
│       ╰──────────────────────────────────────────────────────────────────────╯
└── ⚠  ID: CVE-2011-4924
    └── ╭─ CVE-2011-4924 ──────────────────────────────────────────────────────╮
        │                                                                      │
        │ [CVE-2011-4924] CWE-79: Improper Neutralization of Input During Web  │
        │ Page Generation ('Cross-site Scripting')                             │
        │ Cross-site scripting (XSS) vulnerability in Zope 2.8.x before        │
        │ 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before    │
        │ 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote │
        │ attackers to inject arbitrary web script or HTML via vectors related │
        │ to the way error messages perform sanitization. NOTE: this issue     │
        │ exists because of an incomplete fix for CVE-2010-1104                │
        │                                                                      │
        │ Sonatype's research suggests that this CVE's details differ from     │
        │ those defined at NVD. See                                            │
        │ https://ossindex.sonatype.org/vulnerability/CVE-2011-4924 for        │
        │ details                                                              │
        │                                                                      │
        │ Ratings:                                                             │
        │    -  6.1 MEDIUM - Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,      │
        │ CWEs: 79                                                             │
        │                                                                      │
        │ References:                                                          │
        │   - OSS Index [Ref: CVE-2011-4924]                                   │
        │     URL:                                                             │
        │ https://ossindex.sonatype.org/vulnerability/CVE-2011-4924?component- │
        │ type=pypi&component-name=zope&utm_source=python-oss-index-lib%401.1. │
        │ 1&utm_medium=integration                                             │
        │                                                                      │
        ╰──────────────────────────────────────────────────────────────────────╯
[63/408] - Zope2@4.0 [VULNERABLE]
Vulnerability Details for Zope2@4.0
├── ⚠  ID: CVE-2000-1211
│   └── ╭─ CVE-2000-1211 ──────────────────────────────────────────────────────╮
│       │                                                                      │
│       │ [CVE-2000-1211] CWE-269: Improper Privilege Management               │
│       │ Zope 2.2.0 through 2.2.4 does not properly perform security          │
│       │ registration for legacy names of object constructors such as DTML    │
│       │ method objects, which could allow attackers to perform unauthorized  │
│       │ activities.                                                          │
│       │                                                                      │
│       │ Ratings:                                                             │
│       │    -  7.5 HIGH - Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P, CWEs: 269       │
│       │                                                                      │
│       │ References:                                                          │
│       │   - OSS Index [Ref: CVE-2000-1211]                                   │
│       │     URL:                                                             │
│       │ https://ossindex.sonatype.org/vulnerability/CVE-2000-1211?component- │
│       │ type=pypi&component-name=zope2&utm_source=python-oss-index-lib%401.1 │
│       │ .1&utm_medium=integration                                            │
│       │                                                                      │
│       ╰──────────────────────────────────────────────────────────────────────╯
├── ⚠  ID: CVE-2000-1212
│   └── ╭─ CVE-2000-1212 ──────────────────────────────────────────────────────╮
│       │                                                                      │
│       │ [CVE-2000-1212] CWE-284: Improper Access Control                     │
│       │ Zope 2.2.0 through 2.2.4 does not properly protect a data updating   │
│       │ method on Image and File objects, which allows attackers with DTML   │
│       │ editing privileges to modify the raw data of these objects.          │
│       │                                                                      │
│       │ Ratings:                                                             │
│       │    -  5.0 MEDIUM - Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N, CWEs: 284     │
│       │                                                                      │
│       │ References:                                                          │
│       │   - OSS Index [Ref: CVE-2000-1212]                                   │
│       │     URL:                                                             │
│       │ https://ossindex.sonatype.org/vulnerability/CVE-2000-1212?component- │
│       │ type=pypi&component-name=zope2&utm_source=python-oss-index-lib%401.1 │
│       │ .1&utm_medium=integration                                            │
│       │                                                                      │
│       ╰──────────────────────────────────────────────────────────────────────╯
└── ⚠  ID: CVE-2015-7293
    └── ╭─ CVE-2015-7293 ──────────────────────────────────────────────────────╮
        │                                                                      │
        │ [CVE-2015-7293] CWE-352: Cross-Site Request Forgery (CSRF)           │
        │ Zope - Multiple CSRF Vulnerabilities in Zope as ZMI is mostly        │
        │ unprotected from CSRF vulnerabilities                                │
        │                                                                      │
        │ The web application does not, or can not, sufficiently verify        │
        │ whether a well-formed, valid, consistent request was intentionally   │
        │ provided by the user who submitted the request.                      │
        │                                                                      │
        │ Ratings:                                                             │
        │    -  8.8 HIGH - Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, CWEs:  │
        │ 352                                                                  │
        │                                                                      │
        │ References:                                                          │
        │   - OSS Index [Ref: CVE-2015-7293]                                   │
        │     URL:                                                             │
        │ https://ossindex.sonatype.org/vulnerability/CVE-2015-7293?component- │
        │ type=pypi&component-name=zope2&utm_source=python-oss-index-lib%401.1 │
        │ .1&utm_medium=integration                                            │
        │                                                                      │
        ╰──────────────────────────────────────────────────────────────────────╯

Thanks for your ticket @ewohnlich.

I can confirm this is not a bug in jake and that the above data is coming from OSS Index.

If you're interested in why that is in Sonatype's data, you'd have to be a Customer and engage with Sonatype Customer Support.

Thanks!
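
The reporter's reasoning (installed version outside the range the advisory text states) can be checked mechanically before opening a ticket with the data provider. The script below is an added example for triaging the report above; it is not code from jake, from OSS Index or from the Plone project. The advisory sentences in SAMPLE_HITS are copied from the report in this thread; the function names, the three range grammars the parser understands ("A through B", "A.x before B", "version A") and the convention that None means "no range stated, triage by hand" are this example's own assumptions. It does not query OSS Index; it only tests the version the scanner reported against the prose in the scanner's own output.

```python
"""Check an SCA hit against the affected range stated in the advisory text.

Added example for triaging the jake report in this thread; not code from
jake or OSS Index.  Range grammars, function names and the None verdict
are assumptions of this example.
"""
import re

VER = r"v?\d+(?:\.\d+)*(?:\.x)?"
_THROUGH = re.compile(rf"({VER})\s+through\s+({VER})")  # "2.2.0 through 2.2.4"
_BEFORE = re.compile(rf"({VER})\s+before\s+({VER})")    # "2.8.x before 2.8.12"
_EXACT = re.compile(rf"\bversions?\s+({VER})")           # "version v6.0.9"


def parse_version(token):
    """'v6.0.9' -> (6, 0, 9); '2.8.x' -> (2, 8).  The wildcard suffix is dropped."""
    token = token.strip().lstrip("v")
    if token.endswith(".x"):
        token = token[:-2]
    return tuple(int(p) for p in token.split("."))


def _cmp(a, b):
    """Compare version tuples, zero-padding so that (5, 10) == (5, 10, 0)."""
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return (a > b) - (a < b)


def affected_ranges(description):
    """Extract (kind, lo, hi, prefix_only) tuples from free-text advisory prose."""
    ranges = []
    for lo, hi in _THROUGH.findall(description):
        ranges.append(("through", parse_version(lo), parse_version(hi), False))
    for lo, hi in _BEFORE.findall(description):
        # "2.8.x before 2.8.12" covers only the 2.8 line, not every version < 2.8.12
        ranges.append(("before", parse_version(lo), parse_version(hi), lo.endswith(".x")))
    for v in _EXACT.findall(description):
        ranges.append(("exact", parse_version(v), parse_version(v), False))
    return ranges


def in_range(version, rng):
    """True if the version string falls inside one parsed range."""
    kind, lo, hi, prefix_only = rng
    v = parse_version(version)
    if kind == "exact":
        return _cmp(v, lo) == 0
    if kind == "through":
        return _cmp(v, lo) >= 0 and _cmp(v, hi) <= 0
    # kind == "before": lower bound is a line prefix ("2.8.x") or an ordinary version
    lower_ok = v[: len(lo)] == lo if prefix_only else _cmp(v, lo) >= 0
    return lower_ok and _cmp(v, hi) < 0


def is_affected(version, description):
    """True/False when the prose states a range; None when it states none
    (the CVE-2015-7293 text above), which has to be triaged by hand."""
    ranges = affected_ranges(description)
    if not ranges:
        return None
    return any(in_range(version, r) for r in ranges)


# Sample input: advisory text copied from the jake report in this issue.
SAMPLE_HITS = [
    ("Plone", "6.0.13", "CVE-2024-22889",
     "Due to incorrect access control in Plone version v6.0.9, remote attackers "
     "can view and list all files hosted on the website via sending a crafted request."),
    ("Zope", "5.10", "CVE-2000-1211",
     "Zope 2.2.0 through 2.2.4 does not properly perform security registration "
     "for legacy names of object constructors such as DTML method objects."),
    ("Zope", "5.10", "CVE-2011-4924",
     "Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, "
     "2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and "
     "2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to "
     "inject arbitrary web script or HTML."),
    ("Zope2", "4.0", "CVE-2015-7293",
     "Zope - Multiple CSRF Vulnerabilities in Zope as ZMI is mostly unprotected "
     "from CSRF vulnerabilities"),
]


def triage(hits=SAMPLE_HITS):
    """Map 'name@version CVE' -> True (inside stated range), False (outside), None (no range)."""
    return {f"{name}@{ver} {cve}": is_affected(ver, desc) for name, ver, cve, desc in hits}


if __name__ == "__main__":
    labels = {True: "inside stated range", False: "outside stated range", None: "no range stated"}
    for key, verdict in triage().items():
        print(f"{key}: {labels[verdict]}")
```

Three of the four hits come back "outside stated range", which is the reporter's observation; the Zope2 CSRF entry has no version text at all, so the script refuses to guess. The parser only understands the phrasings that actually appear in this report, and a "version X" phrase next to a "through" range is treated as a union, so a hit that reads as affected still deserves a look at the full advisory rather than the description alone.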